Managing security actions in a computing environment based on information gathering activity of a security threat
Abstract
Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer-implemented method performed by an advisement system coupled to a computing environment, the computing environment comprising a plurality of computing assets, the method comprising:
identifying a security threat involving the computing environment;
obtaining state information for the security threat;
determining, based on the state information, that the security threat comprises a malicious process in a reconnaissance state in which the malicious process is attempting to gather information about a structure of the computing environment;
identifying a security action for responding to the security threat based on determining that the security threat comprises a malicious process in a reconnaissance state in which the malicious process is attempting to gather information about a structure of the computing environment;
translating the security action into a process to be implemented at a computing asset of the plurality of computing assets; and
initiating implementation of the security action at the computing asset of the plurality of computing assets.
2. The method of claim 1 , wherein determining, based on the state information, that the security threat comprises a malicious process in a reconnaissance state comprises monitoring incoming connections from an external computing system and determining whether identification information is sought by the external computing system.
3. The method of claim 2 , wherein the identification information comprises internet protocol (IP) addresses, media access control (MAC) addresses, or ports.
4. The method of claim 1 , further comprising obtaining enrichment information for the security threat from at least one internal or external database.
5. The method of claim 4 , wherein identifying the security action for responding to the security threat comprises:
identifying a rule set based on the enrichment information obtained for the security threat; and
identifying the security action associated with the rule set.
6. The method of claim 1 , further comprising:
identifying a plurality of security actions for responding to the security threat; and
initiating implementation of the plurality of security actions at the plurality of computing assets in the computing environment.
7. The method of claim 1 , further comprising:
in response to identifying the security action for responding to the security threat, providing the security action to an administrator of the computing environment; and
after providing the security action to the administrator, receiving input selecting the security action for implementation of the security action at the computing asset of the plurality of computing assets.
8. The method of claim 7 , wherein identifying the security action for responding to the security threat comprises ranking the security action relative to one or more other security actions for responding to the security threat.
9. The method of claim 1 , wherein the security threat includes at least one of a virus or a malware attack.
10. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause performance of operations comprising:
identifying a security threat involving the computing environment;
obtaining state information for the security threat;
determining, based on the state information, that the security threat comprises a malicious process in a reconnaissance state in which the malicious process is attempting to gather information about a structure of the computing environment;
identifying a security action for responding to the security threat based on determining that the security threat comprises a malicious process in a reconnaissance state in which the malicious process is attempting to gather information about a structure of the computing environment;
translating the security action into a process to be implemented at a computing asset of a plurality of computing assets in the computing environment; and
initiating implementation of the security action at the computing asset.
11. The non-transitory computer-readable storage medium of claim 10 , wherein determining, based on the state information, that the security threat comprises a malicious process in a reconnaissance state comprises monitoring incoming connections from an external computing system and determining whether identification information is sought by the external computing system.
12. The non-transitory computer-readable storage medium of claim 11 , wherein the identification information comprises internet protocol (IP) addresses, media access control (MAC) addresses, or ports.
13. The non-transitory computer-readable storage medium of claim 10 storing further instructions that, when executed by one or more processors, cause performance of further operations comprising obtaining enrichment information for the security threat from at least one internal or external database.
14. The non-transitory computer-readable storage medium of claim 13 , wherein identifying the security action for responding to the security threat comprises:
identifying a rule set based on the enrichment information obtained for the security threat; and
identifying the security action associated with the rule set.
15. The non-transitory computer-readable storage medium of claim 10 , wherein identifying the security action for responding to the security threat comprises ranking the security action relative to one or more other security actions for responding to the security threat.
16. A computing device, comprising:
one or more processors; and
a non-transitory computer-readable storage medium storing instructions that, when executed by the one or more processors, cause the computing device to:
identify a security threat involving a computing environment;
obtain state information for the security threat;
determine, based on the state information, that the security threat comprises a malicious process in a reconnaissance state in which the malicious process is attempting to gather information about a structure of the computing environment;
identify a security action for responding to the security threat based on determining that the security threat comprises a malicious process in a reconnaissance state in which the malicious process is attempting to gather information about a structure of the computing environment;
translate the security action into a process to be implemented at a computing asset of a plurality of computing assets in the computing environment; and
initiate implementation of the security action at the computing asset.
17. The computing device of claim 16 , wherein determining, based on the state information, that the security threat comprises a malicious process in a reconnaissance state comprises monitoring incoming connections from an external computing system and determining whether identification information is sought by the external computing system.
18. The computing device of claim 17 , wherein the identification information comprises internet protocol (IP) addresses, media access control (MAC) addresses, or ports.
19. The computing device of claim 16 , the non-transitory computer-readable storage medium storing further instructions that, when executed by the one or more processors, further cause the computing device to obtain enrichment information for the security threat from at least one internal or external database.
20. The computing device of claim 19 , wherein identifying the security action for responding to the security threat comprises:
identifying a rule set based on the enrichment information obtained for the security threat; and
identifying the security action associated with the rule set.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.